Automation Hub / AAH-1914

object permission to delete an image not working

    • Bug
    • Resolution: Done
    • Normal
    • 2.3
    • 2.3
    • None
    • None
    • False
    • False
    • ANSTRAT-423 - Direct LDAP connection from Private Hub in App without another VM being required

      Description

      A user belongs to a group, and this group is under the Owners tab in Execution Environments with the roles "Push to existing containers" and "Delete container repository" (object permissions).
      But this user can't delete an image. If the role is assigned to the group (global), then the user can.

      Steps to Reproduce

      1- Create new user and new group

      2- Add user to group

      3- Create a role with these permissions:

      "container.delete_containerrepository",
      "container.namespace_push_containerdistribution"

      4- Create a local image container. To do this, I use the command line like this:

      podman login --username admin --password admin https://localhost:5001 --tls-verify=false
      podman pull docker.io/library/alpine --tls-verify=false
      podman image tag alpine localhost:5001/ee_name:latest
      podman push localhost:5001/ee_name:latest --tls-verify=false

      5- Go to Owners tab and assign group and role from previous step.

      6- Login with user from step 1 and try to delete the image.

      Check screenshots

      Actual Behavior

      In API tests: 403

      UI: No Delete option in kebab menu.

      Expected Behavior

      Deletion successful

       

       

       

      IQE test

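      from uuid import uuid4

      import pytest

      # create_local_image_container, add_new_user_to_new_group, add_owner_to_ee,
      # get_container and delete_image_container are not defined on this page;
      # they are assumed to be helpers from the IQE test suite.


      @pytest.mark.standalone_only
      def test_role_delete_image_from_ee_object_role(app, galaxy_client, skip_if_rbac_not_available):
          """
          Verifies that when a user
          """
          # Admin client: create the execution environment, the user and the group
          gc = galaxy_client("ansible_insights", ignore_cache=True)
          ee_name = create_local_image_container(app, gc)
          user, group = add_new_user_to_new_group(gc)
          # Role carrying only the two permissions from step 3
          permissions_user = [
              "container.delete_containerrepository",
              "container.namespace_push_containerdistribution",
          ]
          role_user = f"galaxy.rbac_test_role_{uuid4()}"
          gc.create_role(role_user, "any_description", permissions_user)
          # Object-level assignment: the group becomes an owner of this EE only
          add_owner_to_ee(gc, ee_name, group["name"], [role_user])
          # Act as the new user: push, then delete the image by digest
          gc_user = galaxy_client(user)
          gc_user.push_image(ee_name + ":latest")
          info = get_container(gc_user, ee_name)
          # Expected to succeed; the reported behavior is a 403 here
          delete_image_container(gc_user, ee_name, info["data"][0]["digest"])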

              jjerabek@redhat.com Jiri Jerabek
              ctorrens@redhat.com Christian Torrens
              Christian Torrens